Entrust: S/MIME OrgID Country not matching C field
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: bruce.morton, Assigned: bruce.morton
Details: Whiteboard: [ca-compliance] [smime-misissuance] Next update 2024-10-01
Attachments: 1 file (311 bytes, text/csv)
Comment 1•28 days ago
Preliminary Incident Report
Summary
Post-issuance linting identified three (3) S/MIME certificates where the jurisdiction of the organization represented in the Organization Identifier field did not represent the organization represented in the country field of the subject name as required by S/MIME BRs where section 7.1.4.2.8 states:
The CA SHALL:
- confirm that the organization represented by the Registration Reference is the same as the organization named in the organizationName field as specified in Section 7.1.4.2.1 within the context of the subject’s jurisdiction as specified in Section 7.1.4.2.4;
It was determined the certificates were mis-issued and must be revoked per S/MIME BR 4.9.1.1 item 11.
Impact
We identified three (3) S/MIME Sponsor-Validated certificates that were mis-issued where the jurisdiction of organization represented in the organization identifier field did not represent the organization represented in the country field of the subject name. These certificates were issued to Entrust as part of QA testing. The certificates will be revoked within the 5-day requirement.
Next steps
A full incident report including the root cause analysis, lessons learned, and action items will be posted per the CCADB full incident report requirement.
Comment 2•28 days ago
Affected certificates
Comment 3•25 days ago
Currently working on final incident report.
Comment 4•18 days ago
We are currently working on the final incident report which will be posted 2024-09-06.
Comment 5•17 days ago
Incident Report
Summary
Post-issuance linting identified three (3) S/MIME certificates where the jurisdiction of the organization represented in the organization identifier field did not match the organization represented in the country field of the subject name as required by S/MIME BRs where section 7.1.4.2.8 states:
The CA SHALL:
- confirm that the organization represented by the Registration Reference is the same as the organization named in the organizationName field as specified in Section 7.1.4.2.1 within the context of the subject’s jurisdiction as specified in Section 7.1.4.2.4;
It was determined the certificates were mis-issued and must be revoked per S/MIME BR 4.9.1.1 item 11.
Impact
We identified three (3) S/MIME Sponsor-Validated certificates that were mis-issued where the jurisdiction of organization represented in the organization identifier field did not match the organization represented in the country field of the subject name. These certificates were issued to Entrust as part of QA testing. The certificates were revoked within the 5-day requirement.
Timeline
All times are UTC.
2024-08-23:
- 19:09 Post-issuance pkilint logged a certificate error “cabf.smime.org_identifier_and_country_name_attribute_inconsistent”
- 19:09 linting system emailed the error to Support and Development; a case was created in the Support system
2024-08-26:
- 00:12 Support escalated case to development
- 12:21 Compliance team was advised of a certificate issuance error.
- 12:42 Compliance team confirmed the mis-issuance.
- 14:00 Compliance Response Team met to review the incident
- 14:02 It was determined that there was a verification issue, which allowed the organization identifier and the place of business to have different countries
- 15:31 Determined that only one Entrust QA account was impacted by the organization identifier jurisdiction error
- 16:53 Verification process updated to prevent organization identifier country inconsistency
- 17:30 Compliance Response Team follow-up meeting
- 22:05 All certificates were revoked.
Root Cause Analysis
Why was the organization identifier inconsistent with the place of business country?
The verification system did not check for consistency between the organization identifier and the place of business country fields.
Why was field consistency not checked?
When implementing the organization identifier, we overlooked the requirement for the registration reference to match other verified information, specifically the country value, as outlined in section 3.2.3 of the SMIME Baseline requirements.
Why was the requirement for the registration reference to match other verified information overlooked?
The EV Guidelines allow the jurisdiction country to be different to the place of business country. The S/MIME BR requirements gathering process assumed allowance of the inconsistency of the country for the registration reference (e.g., organization identifier) and other verified information (e.g., place of business country). Requirements gathering did not include full understanding of the S/MIME BRs to ensure the country values needed to be consistent.
Why were the S/MIME BRs not fully understood?
The requirements review and compliance process at the time of implementation did not ensure that each requirement in the S/MIME BRs was addressed.
Note: The Certificate Services Compliance Change Management Policy implemented effective July 2024 requires all compliance requirements to be explicitly listed, understood, and addressed.
Why were the mis-issued certificates not detected before signature?
The current S/MIME certificate issuance process does not produce a to-be-signed certificate (TBSCertificate) that can be linted pre-signing. As an interim solution, in our 14.0.1 release we updated our S/MIME issuance process to perform linting on certificates immediately after signing but before being made available to subscribers. When that change was deployed, the internal CPR design was not updated to notify the Support or Compliance teams immediately.
The upgrade to the S/MIME issuance is planned for our 14.1 release in November to make TBS Certificates available and to add linting to check for potential errors pre-signing.
Lessons Learned
What went well
- Errors were detected by pkilint and the Subscribers were not provided with mis-issued certificates
- The CPR was created, reviewed, and the mis-issued certificates revoked within the timelines required by the S/MIME BRs.
What didn't go well
- The certificate validation system did not detect the jurisdiction inconsistency
- Support did not immediately recognize the error email was a CPR
Where we got lucky
- Error was limited to one account and 3 certificates which were assigned to the Entrust QA team
Action Items
Action Item | Kind | Due Date
---|---|---
Update certificate validation system to prevent jurisdiction inconsistency | Prevent | 2024-09-30
Ongoing training of all team leaders and personnel on the Certificate Services Compliance Change Management Policy | Prevent | 2024-09-30
Implement pre-sign linting for S/MIME | Detect | 2024-11-30
Appendix
Details of affected certificates
Affected certificates have been posted per comment #2.
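The root cause in Comment 5 is a missing consistency check between subject:organizationIdentifier and subject:C. The following is an added example of such a check in Python; it is not Entrust's validation code and not pkilint's implementation. It assumes the organizationIdentifier layout scheme + ISO 3166 country code + optional "+state" + "-" + registration reference, treats the LEI (XG) and INT (XX) scheme codes as non-national codes that are not compared with C, and uses constructed sample subjects.

```python
import re

# Layout assumed for subject:organizationIdentifier in this example:
#   <scheme><country>[+<state>]-<reference>, e.g. NTRCA-123456 or NTRUS+CA-C1234567
ORG_ID_RE = re.compile(
    r"^(?P<scheme>NTR|VAT|PSD|LEI|GOV|INT)(?P<country>[A-Z]{2})"
    r"(?:\+(?P<state>[A-Z0-9]{1,3}))?-(?P<reference>.+)$"
)
# Schemes whose country slot holds a fixed non-national code, not a jurisdiction
# (assumption: LEI uses XG, INT uses XX), so there is nothing to compare with C.
FIXED_SCHEME_CODES = {"LEI": "XG", "INT": "XX"}

def parse_org_identifier(value: str) -> dict:
    """Split an organizationIdentifier into scheme/country/state/reference."""
    m = ORG_ID_RE.match(value)
    if m is None:
        raise ValueError(f"unrecognised organizationIdentifier syntax: {value!r}")
    return m.groupdict()

def check_org_id_country(subject: dict) -> list:
    """Lint a subject given as {attribute: value}; [] means no finding."""
    org_id = subject.get("organizationIdentifier")
    if org_id is None:
        return []  # attribute absent: nothing to compare
    try:
        parsed = parse_org_identifier(org_id)
    except ValueError as exc:
        return [f"org_identifier_malformed: {exc}"]
    fixed = FIXED_SCHEME_CODES.get(parsed["scheme"])
    if fixed is not None:  # non-national scheme: only the fixed code is checked
        return [] if parsed["country"] == fixed else [f"org_identifier_scheme_code_invalid: expected {fixed}"]
    c = subject.get("C")
    if c is None:
        return ["country_name_missing: organizationIdentifier present without C"]
    if parsed["country"] != c:  # the defect described in the incident: jurisdictions differ
        return ["org_identifier_and_country_name_attribute_inconsistent: "
                f"organizationIdentifier country {parsed['country']} != C {c}"]
    return []

# Constructed sample subjects (not the certificates from the incident)
SAMPLES = {
    "consistent": {"C": "CA", "O": "Example Corp", "organizationIdentifier": "NTRCA-123456"},
    "state_qualified": {"C": "US", "O": "Example Corp", "organizationIdentifier": "NTRUS+CA-C1234567"},
    "inconsistent": {"C": "US", "O": "Example Corp", "organizationIdentifier": "NTRCA-123456"},
    "lei": {"C": "DE", "O": "Example GmbH", "organizationIdentifier": "LEIXG-ABCDEFGHIJKLMNOPQR12"},
}

# Running the check over the samples; a non-empty list is a finding
RESULTS = {name: check_org_id_country(subj) for name, subj in SAMPLES.items()}
```

Only the "inconsistent" sample produces a finding; a pre-signing linter wired to such a check would have stopped the three certificates before they were signed.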